Microsoft has released patches for a newly disclosed Office zero-day, CVE-2026-21509, which it says is being actively exploited and was discovered by its own researchers. The flaw bypasses OLE mitigations and requires a user to open a malicious Office file, suggesting targeted espionage. CISA has added CVE-2026-21509 to its KEV catalog with a February 16 remediation deadline.
Key points
- Microsoft released patches for CVE-2026-21509 across affected Office versions.
- Microsoft is aware of active exploitation, and its researchers discovered the in-the-wild attacks.
- The vulnerability allows a security bypass because Office relies on untrusted inputs, and it circumvents OLE/COM mitigations.
- Exploitation requires convincing a user to open a malicious Office file, indicating targeted, high-value operations.
- CISA added the CVE to its KEV catalog with a February 16 remediation deadline, and mitigations are available for unpatched systems.
Read More: https://www.securityweek.com/microsoft-patches-office-zero-day-likely-exploited-in-targeted-attacks/